API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web

Presented at Black Hat USA 2019, Aug. 8, 2019, 11 a.m. (50 minutes)

<span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">The 2016 WWDC saw the dawn of Apple Pay Web, an API that lets websites embed an Apple Pay button within their web-facing stores. Supporting it required a complex request flow, complete with client certificates and a custom session server. This proved detrimental, since Apple failed to caution against important side effects of taking in untrusted URLs. As a result, many new SSRF vulnerabilities entered the world. Worse yet, while they were exploitable and discoverable in similar ways, they were spread across distinct codebases in several programming languages, so could not be patched in any generic way.</span><br><br><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Apple is not alone - in the process of gluing the web together, Twilio, Salesforce, and others have all created similarly broad attack surfaces. When companies fail to take an honest, empathetic look at how clients will use a product, they shove along hidden security burdens. Those who integrate with an API have less context than those who create it, so are in a worse position to recognize these risks.</span><br><br><span style="font-size: 10pt;" data-mce-style="font-size: 10pt;">Engineers have been talking about defensive programming for decades, but top companies still have trouble practicing it. <span style="background-color: initial;" data-mce-style="background-color: initial;">In this talk, we explore these mistakes with demos of affected </span><span style="background-color: initial;" data-mce-style="background-color: initial;">software, and propose actionable ways of rethinking API security.</span></span>

Presenters:

• Joshua Maddux - Software Engineer / Security Researcher, PKC Security
  Joshua Maddux started out as a software engineer. After a few years, having introduced his share of bugs to the world, he turned his life around and started hunting for vulnerabilities. Now at PKC Security he does a mix of software development and white-box penetration testing, with a focus on helping startups move fast without breaking too many things. Aside from pentesting for clients, Joshua is also active in the bug bounty world. His past research has led to security updates in Java, Gitlab, United Airlines, Zapier, and others.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#api-induced-ssrf-how-apple-pay-scattered-vulnerabilities-across-the-web-14462
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/API-Induced SSRF How Apple Pay Scattered Vulnerabilities Across the Web.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/API-Induced SSRF How Apple Pay Scattered Vulnerabilities Across the Web.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=W1YaiK26N6c

Similar Presentations:

• Black Hat Asia 2020 Virtual / Complexity Killed Security
• Black Hat Europe 2018 / The Mummy 2018 – Microsoft Accidentally Summons Back Ugly Attacks from the Past
• Black Hat USA 2019 / Biometric Authentication Under Threat: Liveness Detection Hacking